TESTZILLA: Privacy Policy

Last Updated: January 14, 2026 Effective Date: January 14, 2026

1. Introduction

Testzilla ("we", "us", "our") is an AI-powered voice and chatbot testing platform operated by LEMA Logic Limited, a company registered in the Isle of Man (Company Number: TBC).

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at testzilla.ai and related services (the "Service").

Data Controller: LEMA Logic Limited Registered Address: Isle of Man (Full address available on request) Contact: [email protected]

2. Information We Collect

2.1 Account Information

When you register for Testzilla, we collect:

• Name and email address

• Company name and job title

• Password (encrypted)

• Billing information (processed by our payment provider)

2.2 Usage Data

We automatically collect:

• IP address, location, and device information

• Browser type and version

• Pages visited and features used

• Test execution logs and session data

• Timestamps and interaction patterns

2.3 Test Data

Testzilla is designed to be used with test data, not actual customer or user information. Ensure that your testing does not disclose any actual confidential information.

You provide test data when using our Service:

• Conversation transcripts (synthetic/test data)

• Voice recordings (synthetic by default)

• Test scenarios and configurations

• API keys and webhook URLs (encrypted)

Important: Our terms require you to use synthetic/fictional data for testing. You must not upload or access real personal data unless you have obtained explicit consent and have a lawful basis for processing.

2.4 Production Call Data (Optional Features)

If you use our Post-Call Analysis or EasyAlerts features:

• Audio recordings: Processed temporarily, NOT stored by Testzilla

• Transcripts: Retained per your subscription plan (EasyAlerts only)

• Analysis results: Aggregated metrics and reports stored

2.5 Cookies and Tracking

We use:

• Essential cookies: Session management, authentication

• Analytics cookies: Google Analytics, Firebase Analytics

• Affiliate tracking: Cookie to track referral sources (30-day expiry)

3. How We Use Your Information

We use your information to:

3.1 Provide the Service

• Create and manage your account

• Execute and analyze tests

• Generate reports and insights

• Process payments and subscriptions

3.2 Improve the Service

• Analyze usage patterns

• Develop new features

• Fix bugs and optimize performance

• Train and improve our AI models (anonymized data only)

3.3 Communicate With You

• Send service notifications

• Respond to support requests

• Provide product updates

• Send marketing communications (with consent)

3.4 Legal and Security

• Comply with legal obligations

• Prevent fraud and abuse

• Protect our rights and property

• Enforce our terms of service

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

Service delivery

• Legal Basis: Contract (Article 6(1)(b))

Payment processing

• Legal Basis: Contract (Article 6(1)(b))

Security and fraud prevention

• Legal Basis: Legitimate interests (Article 6(1)(f))

Analytics and improvement

• Legal Basis: Legitimate interests (Article 6(1)(f))

Marketing communications

• Legal Basis: Consent (Article 6(1)(a))

Legal compliance

• Legal Basis: Legal obligation (Article 6(1)(c))

Special Category Data (Article 9)

Voice recordings may constitute biometric data. We handle this by:

• Requiring synthetic voices by default

• Requiring explicit consent for human voice testing

• Implementing enhanced security for voice data

• Not storing production call audio recordings

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We share data with trusted providers who help us operate the Service:

Infrastructure & Hosting

Google Cloud Platform (Firebase)

• Purpose: Hosting, database, authentication, push notifications

• Location: US East

• Safeguards: SCCs, DPA

Cloudflare

• Purpose: CDN, DNS, DDoS protection, edge computing

• Location: Global

• Safeguards: DPA, GDPR-compliant

Payment Processing

Paddle

• Purpose: Subscription billing (Merchant of Record)

• Location: UK

• Safeguards: DPA, GDPR-compliant, PCI DSS

Stripe

• Purpose: One-time payments (legacy)

• Location: US/EU

• Safeguards: PCI DSS, SCCs

Voice AI Testing Providers

We use voice AI providers to perform automated testing of your voice agents. We may connect via:

• Our platform accounts: For test execution from Testzilla's infrastructure

• Your integration accounts: If you provide API keys to test your own voice AI deployments

Retell AI

• Purpose: Voice AI testing (WebRTC, phone calls)

• Location: US

• Safeguards: DPA available

VAPI

• Purpose: Voice AI testing (WebRTC, phone calls)

• Location: US

• Safeguards: DPA available

Twilio

• Purpose: Telephony infrastructure (used by Retell/VAPI)

• Location: US

• Safeguards: SCCs, GDPR-compliant

Note: Voice test data is processed by the relevant provider. We do not store voice recordings from test calls. If you provide your own API keys, tests run against your accounts and usage is billed to you by that provider.

AI/LLM Providers

For test evaluation and analysis:

OpenAI

• Purpose: LLM-based test evaluation (GPT-4o)

• Location: US

• Safeguards: DPA, SCCs

Anthropic

• Purpose: LLM-based test evaluation (Claude)

• Location: US

• Safeguards: DPA available

Note: Test transcripts are sent to LLM providers for evaluation. No personal data should be in test transcripts (synthetic data required).

Analytics & Communications

Google Analytics

• Purpose: Web analytics

• Location: US

• Safeguards: SCCs, IP anonymization

Firebase Analytics

• Purpose: App analytics

• Location: US

• Safeguards: SCCs, DPA

SendGrid

• Purpose: Transactional email delivery

• Location: US

• Safeguards: DPA, SCCs

Resend

• Purpose: Transactional email delivery

• Location: US

• Safeguards: DPA, GDPR-compliant

Development & Operations (No User Data)

These services are used for development and operations but do not process end-user personal data:

GitHub

• Purpose: Source code hosting

• Note: No user data stored

Asana

• Purpose: Internal task management

• Note: No user data stored

5.2 We Never

• Sell your personal data

• Share data for third-party marketing

• Use your test data to train models shared with others

5.3 Legal Disclosure

We may disclose information if required by:

• Court order or legal process

• Government or regulatory request

• Protection of our legal rights

• Prevention of fraud or security threats

6. International Data Transfers

Your data is processed primarily in the United States (Google Cloud US East region).

For UK/EEA users: Transfers are protected by:

• Standard Contractual Clauses (SCCs)

• Google's GDPR Data Processing Agreement

• Additional technical and organizational safeguards

• Encryption in transit and at rest

7. Data Retention

Account data

• Retention Period: Active account + 30 days

Test data

• Retention Period: Per subscription plan (90 days - 2 years)

Transaction data

• Retention Period: 7 years (legal requirement)

Audit logs

• Retention Period: 2-7 years (security compliance)

Marketing consents

• Retention Period: Until withdrawn

After account closure: All data deleted within 30 days, except where retention is legally required.

8. Your Rights (GDPR/UK GDPR)

You have the right to:

8.1 Access

Request a copy of your personal data.

8.2 Rectification

Correct inaccurate or incomplete data.

8.3 Erasure ("Right to be Forgotten")

Request deletion of your data (subject to legal exceptions).

8.4 Restriction

Limit how we process your data.

8.5 Data Portability

Receive your data in a portable format (JSON, CSV).

8.6 Object

Object to processing based on legitimate interests.

8.7 Withdraw Consent

Withdraw consent for marketing or optional processing.

8.8 Lodge a Complaint

Contact your local data protection authority:

• Isle of Man: Information Commissioner ([email protected])

• UK: ICO (ico.org.uk)

To exercise your rights: Email [email protected]

9. Security

We implement industry-standard security measures:

• Encryption: TLS 1.3 (transit), AES-256 (rest)

• Authentication: Multi-factor authentication (MFA) available

• Access Control: Role-based access, least privilege

• Monitoring: 24/7 security monitoring, intrusion detection

• Auditing: Access logs, security audits

• Certifications: SOC 2 Type II (planned)

10. Children's Privacy

Testzilla is a business-to-business service not directed at children. We do not knowingly collect personal information from anyone under 18 years of age. We do not knowingly collect data from children under 13 (COPPA) or 16 (GDPR). If we learn we have collected personal information from a child, we will delete it promptly. If you believe we have inadvertently collected such data, contact us immediately at [email protected].

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

• Email notification

• In-app notification

• Posting on our website

Your continued use after changes constitutes acceptance.

12. Contact Us

For privacy inquiries or to exercise your rights:

Email: [email protected] Subject: Privacy Request - [Your Request Type]

LEMA Logic Limited Engine House Castletown, Isle of Man IM9 1TG

We will respond within 30 days (or sooner as required by law).

13. Automated Decision-Making

We use AI/LLM systems to:

• Evaluate test results and generate pass/fail/score determinations

• Analyze conversation transcripts for quality metrics

• Generate recommendations and insights

These automated processes inform your testing insights but do not make decisions with legal or similarly significant effects on you. The outputs are informational tools to assist your quality assurance process. You may request human review of any automated analysis by contacting [email protected].

14. Email Communications

Marketing Emails

We only send marketing communications with your consent. You may unsubscribe at any time using the unsubscribe link in any marketing email. We will honor opt-out requests within 10 business days.

Transactional Emails

We send necessary service communications (account confirmations, billing notifications, security alerts) without separate consent as they are required for service delivery.

15. Cookies and Consent

Cookie Consent

When you first visit our website, we display a cookie consent banner. We only set non-essential cookies after you provide consent.

Cookie Categories

Strictly Necessary Cookies

• Purpose: Essential site functionality

• Examples: Session cookies, authentication

• Consent Required: No

Analytics Cookies

• Purpose: Understanding usage

• Examples: Google Analytics, Firebase

• Consent Required: Yes

Marketing Cookies

• Purpose: Tracking referrals

• Examples: Affiliate tracking

• Consent Required: Yes

Managing Cookies

• Consent Tool: Click "Cookie Settings" in our website footer to modify preferences

• Browser Settings: Configure your browser to block or delete cookies

• Opt-Out Links: Google Analytics: https://tools.google.com/dlpage/gaoptout

Cookie Duration

Session ID

• Purpose: Authentication

• Duration: Session

Consent preferences

• Purpose: Remember your choices

• Duration: 12 months

Analytics

• Purpose: Usage tracking

• Duration: 24 months

Affiliate tracking

• Purpose: Referral attribution

• Duration: 30 days

You may withdraw consent at any time without affecting the lawfulness of prior processing.

16. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

Identifiers

• Examples: Name, email, IP address

• Collected: Yes

• Sold/Shared: No

• Business Purpose: Service delivery, authentication

Commercial Information

• Examples: Purchase history, subscription data

• Collected: Yes

• Sold/Shared: No

• Business Purpose: Billing, service fulfillment

Internet Activity

• Examples: Browsing history, usage logs

• Collected: Yes

• Sold/Shared: No

• Business Purpose: Analytics, improvement

Geolocation

• Examples: Approximate location via IP

• Collected: Yes

• Sold/Shared: No

• Business Purpose: Service delivery, fraud prevention

Professional Information

• Examples: Job title, company

• Collected: Yes

• Sold/Shared: No

• Business Purpose: Account management

Sensitive PI - Biometric

• Examples: Voice data (if human voice testing)

• Collected: Limited

• Sold/Shared: No

• Business Purpose: Test execution (with consent)

Your California Rights

1. Right to Know: Request disclosure of PI collected, sources, purposes, and third parties

2. Right to Delete: Request deletion of your PI (subject to exceptions)

3. Right to Correct: Request correction of inaccurate PI

4. Right to Opt-Out of Sale/Sharing: We do not sell or share your PI for cross-context behavioral advertising

5. Right to Limit Sensitive PI Use: Request limitation of sensitive PI processing

6. Right to Non-Discrimination: We will not discriminate against you for exercising these rights

Exercising Your Rights

Submit requests via:

• Email: [email protected] (subject: "California Privacy Request")

• We will verify your identity and respond within 45 days

Authorized Agents

You may designate an authorized agent to submit requests on your behalf. We require written authorization and identity verification.

Financial Incentives

We do not offer financial incentives for the collection or sale of personal information.

"Do Not Sell or Share My Personal Information"

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.

17. Other US State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, and other states with comprehensive privacy laws may have additional rights including:

• Right to Access: Confirm whether we process your data and obtain a copy

• Right to Correct: Correct inaccuracies in your data

• Right to Delete: Request deletion of your data

• Right to Data Portability: Receive your data in a portable format

• Right to Opt-Out: Opt out of:

  • Targeted advertising

  • Sale of personal data

  • Profiling for decisions with legal/significant effects

Submitting Requests

Email [email protected] with subject "US State Privacy Request - [Your State]"

Appeals

If we deny your request, you may appeal by emailing [email protected] with subject "Privacy Request Appeal". We will respond within the timeframe required by your state's law.

Universal Opt-Out Signals

We honor Global Privacy Control (GPC) signals for opt-out of sale/sharing where required by law.

18. Australian Privacy Rights

If you are located in Australia, the Australian Privacy Principles (APPs) under the Privacy Act 1988 apply to our handling of your personal information.

Cross-Border Disclosure (APP 8)

Your personal information may be disclosed to recipients in:

• United States (cloud hosting, service providers)

• United Kingdom (payment processing)

• Isle of Man (our headquarters)

We take reasonable steps to ensure overseas recipients handle your information in accordance with the APPs.

Your Rights

• Access: Request access to your personal information

• Correction: Request correction of inaccurate information

• Complaints: You may lodge a complaint with us at [email protected] or the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au

19. Canadian Privacy Rights (PIPEDA)

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies.

Consent

We collect, use, and disclose your personal information only with your knowledge and consent, except where permitted by law.

Cross-Border Transfers

Your personal information may be processed in the United States by our service providers. By using our Service, you consent to this transfer. We ensure contractual protections are in place.

Your Rights

• Access: Request access to your personal information

• Correction: Challenge the accuracy and completeness of your information

• Withdraw Consent: Withdraw consent subject to legal or contractual restrictions

Complaints

You may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca

20. Brazilian Privacy Rights (LGPD)

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides additional rights.

Your Rights Under LGPD

• Confirmation: Confirm whether we process your data

• Access: Access your personal data

• Correction: Correct incomplete or inaccurate data

• Anonymization/Blocking/Deletion: Request these for unnecessary or excessive data

• Portability: Receive your data in a portable, interoperable format

• Deletion: Request deletion of data processed with consent

• Information: Know about public/private entities with whom we share your data

• Revocation: Revoke consent at any time

Data Protection Contact

For LGPD matters: [email protected]

Complaints

You may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

International Transfers

Your data may be transferred internationally under Standard Contractual Clauses that provide adequate protection.

21. Jurisdiction

This Privacy Policy is governed by the laws of the Isle of Man and applicable UK/EU data protection law.

Document Version: 2.0 DPIA Reference: Testzilla DPIA